---
title: Validating ORAS CLI Binaries
sidebar_position: 10
---

# Validating ORAS CLI Binaries

After finding your [target release](https://github.com/oras-project/oras/releases), 
you may find the releaser's information under the `notes` section.

The following commands can be used to verify the ORAS CLI binaries using GPG:

### Step 1: 

First, we import the releasers' GPG Keys which can be used for verification:

```
$ curl -sSL https://raw.githubusercontent.com/oras-project/oras/refs/heads/main/KEYS | gpg --import -
```

The [GPG keys file](https://github.com/oras-project/oras/blob/main/KEYS) contains the keys which have been used for ORAS releases.

### Step 2: 

You can run the following command to check if the key has been imported. Your output will look something like:

```
$ gpg --list-keys
pub   rsa4096 2023-02-28 [SC] [expires: 2024-02-28]
      BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
uid           [ unknown] Billy Zha <jinzha1@microsoft.com>
pub   rsa4096 2024-12-04 [SC] [expires: 2025-12-04]
      73C7F42E8F0B4493115ABED64F723223E9DF0185
uid           [ unknown] Shiwei Zhang <shizh@microsoft.com>
```

### Step 3: 

Verify our binaries using the command:

```
$ gpg --verify oras_1.0.0_linux_amd64.tar.gz.asc oras_1.0.0_linux_amd64.tar.gz
gpg: Signature made Mon Mar 20 15:51:28 2023 IST
gpg:                using RSA key BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
gpg: Good signature from "Billy Zha <jinzha1@microsoft.com>" [unknown]
```